From 97af7d892c916656cee1e64765c7f7a628912797 Mon Sep 17 00:00:00 2001
From: Quentin Young
Date: Sat, 21 Dec 2019 20:19:47 -0500
Subject: [PATCH] pimd: readd iph length checks

Kernel might not hand us a bad packet, but better safe than sorry here. Validate the IP header length field. Also adds an additional check that the packet length is sufficient for an IGMP packet, and a check that we actually have enough for an ip header at all.

Signed-off-by: Quentin Young
---
 pimd/pim_igmp.c | 22 +++++++++++++++-------
 pimd/pim_mroute.c | 3 +++
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/pimd/pim_igmp.c b/pimd/pim_igmp.c
index 7dfd26ea65..d87cea0d35 100644
--- a/pimd/pim_igmp.c
+++ b/pimd/pim_igmp.c
@@ -478,10 +478,24 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len)
 ip_hdr->ip_p);
 }
 
+ if (ip_hlen > len) {
+ zlog_warn(
+ "IGMP packet header claims size %zu, but we only have %zu bytes",
+ ip_hlen, len);
+ return -1;
+ }
+
 igmp_msg = buf + ip_hlen;
- msg_type = *igmp_msg;
 igmp_msg_len = len - ip_hlen;
 
+ if (igmp_msg_len < PIM_IGMP_MIN_LEN) {
+ zlog_warn("IGMP message size=%d shorter than minimum=%d",
+ igmp_msg_len, PIM_IGMP_MIN_LEN);
+ return -1;
+ }
+
+ msg_type = *igmp_msg;
+
 if (PIM_DEBUG_IGMP_PACKETS) {
 zlog_debug(
 "Recv IGMP packet from %s to %s on %s: ttl=%d msg_type=%d msg_size=%d",
@@ -489,12 +503,6 @@ int pim_igmp_packet(struct igmp_sock *igmp, char *buf, size_t len)
 msg_type, igmp_msg_len);
 }
 
- if (igmp_msg_len < PIM_IGMP_MIN_LEN) {
- zlog_warn("IGMP message size=%d shorter than minimum=%d",
- igmp_msg_len, PIM_IGMP_MIN_LEN);
- return -1;
- }
-
 switch (msg_type) {
 case PIM_IGMP_MEMBERSHIP_QUERY: {
 int max_resp_code = igmp_msg[1];
diff --git a/pimd/pim_mroute.c b/pimd/pim_mroute.c
index f7f4b54aea..6472de42d4 100644
--- a/pimd/pim_mroute.c
+++ b/pimd/pim_mroute.c
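Review bot: The added `if (ip_hlen > len)` guard in the first pimd/pim_igmp.c hunk bounds the claimed header length only from above. A header length below the 20-byte IPv4 minimum would pass it, `igmp_msg = buf + ip_hlen` would then point inside the IP header, and the `PIM_IGMP_MIN_LEN` check would still succeed on those bytes. Unless `ip_hlen` is already range-checked where it is computed (above this hunk, not visible here), consider `if (ip_hlen < sizeof(struct ip) || ip_hlen > len)` with a matching warning. pim_igmp_packet begins and ends outside the hunk.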
@@ -585,6 +585,9 @@ static int pim_mroute_msg(struct pim_instance *pim, const char *buf,
 struct in_addr ifaddr;
 struct igmp_sock *igmp;
 
+ if (buf_size < (int)sizeof(struct ip))
+ return 0;
+
 ip_hdr = (const struct ip *)buf;
 
 if (ip_hdr->ip_p == IPPROTO_IGMP) {
-- 
2.39.5
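Review bot: The new short-buffer guard at the top of pim_mroute_msg drops the packet with `return 0` and no log line, whereas the pim_igmp.c checks in this same patch warn and return -1. A truncated read on this path would therefore leave no trace for an operator investigating malformed traffic. Consider logging before returning, e.g. `zlog_warn("%s: short read of %d bytes, need at least %zu for an IP header", __func__, buf_size, sizeof(struct ip));`, and confirm that 0 is the intended result for a dropped packet. The type of buf_size and the callers' handling of the return value are outside this hunk, so adjust the format specifier to match.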